Web filtering
FortiGuard Web Filtering can help stop infections from malware sites and help prevent communication if an infection occurs.
- Enable FortiGuard Web Filtering at the network edge.
- Install the FortiClient application and use FortiGuard Web Filtering on any systems that bypass your FortiGate unit.
- Block categories such as Pornography, Malware, Spyware, and Phishing. These categories are more likely to be dangerous.
Opened ports for Authentication Override in Web Filter Replacement Messages
When a firewall policy is configured with a web filter, AV or application control, or other UTM security profiles, the policy may open up one or more of ports 8008, 8010, 8015 or 8020 for authentication override and data retrieval for replacement messages, depending on the inspection mode.
When a port is open and you try to access the port on HTTP, this may result in the following behavior:
- FortiGate replies and then redirects to the port with a block message.
- FortiGate sends a TCP RST to close the connection.
- FortiGate doesn't respond.
- FortiGate does a TCP 3-way handshake, then sends a FIN to close the connection.
Traffic does not leak through the policy. However, in some scenarios such as testing the FortiGate for open ports against PCI compliance, this may result in failure of the test case.
To work around the issue, you can close the above ports by doing the following:
    config webfilter fortiguard
        set close-ports enable
    end
When close-ports is enabled, FortiGuard and Local URL Filter blocking will not be affected.
When VDOM is enabled, edit the settings in global:
    config global
        config webfilter fortiguard
            set close-ports enable
        end
    end
In the case of Application Control, use the following to disable the use of replacement messages and port 8008:
    config application list
        edit <list>
            set app-replacemsg disable
        next
    end
If it is acceptable to simply change the ports to a high ephemeral port, the override ports can be changed from here:
- Default:
    config webfilter fortiguard
        set ovrd-auth-port-http 8008
        set ovrd-auth-port-https 8010
        set ovrd-auth-port-https-flow 8015
        set ovrd-auth-port-warning 8020
    end
- Update:
    config webfilter fortiguard
        set ovrd-auth-port-http <high port>
        set ovrd-auth-port-https <high port>
        set ovrd-auth-port-https-flow <high port>
        set ovrd-auth-port-warning <high port>
    end